CIS Control 3: Data Protection

5 years ago Craig Young

For many years, there was a wide misunderstanding that encrypting some data is equivalent to protecting that data. If it’s encrypted, so the thinking goes, nobody else could access it, and it is therefore safe. While it is critical to encrypt data at rest as well as in transit, the job of protecting data goes much deeper. Encryption can mitigate risk from certain attack scenarios such as physically compromised hardware or a tapped network link, but users and systems which handle the unencrypted data can still be readily targeted. CIS Control 3 provides a playbook for establishing a comprehensive data management plan with security at the forefront.

Key Takeaways for Control 3

At the heart of a strong data management plan is awareness surrounding the ‘Five Ws’ of the enterprise’s data:

  1. What data does the enterprise store or handle?
  2. Who should have access to it?
  3. Where is it stored or accessed?
  4. When should it be deleted?
  5. Why does it need protection?

A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan.

Classifications suggested by CIS are “Sensitive,” “Confidential,” and “Public,” but enterprises may find the need for more custom data labels. The goal of a data inventory and classification is to segment systems based on the types of data they handle and develop fine-grained user permissions to limit data exposure. Data should not only be stored separately based on its classification, but systems which handle the data should also be segmented with users restricted to access only what they need. Classifications should also be tied to compliance obligations, where appropriate, and include things like minimum and maximum data retention times as well as contextual incident response plans.

Safeguards for Control 3

3.1) Establish and Maintain a Data Management Process

Description: Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements based on sensitivity and retention standards for the enterprise. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.

Notes: The security function associated with this safeguard is Identify, and it is a big one. This control encompasses most of the key takeaways discussed above for Control 3. The process of establishing and maintaining a data management process will be supported by some of the safeguards discussed next.

3.2) Establish and Maintain a Data Inventory

Description: Establish and maintain a data inventory based on the enterprise’s data management process. Inventory sensitive data at a minimum. Review and update inventory annually at a minimum with a priority on sensitive data.

Notes: The security function associated with this safeguard is Identify. The objective here is to have complete awareness over what data is produced, consumed, and retained on a network.

3.3) Configure Data Access Control Lists

Description: Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.

Notes: The security function associated with this safeguard is Protect. Success with this control means that every user and every system has access to exactly what they need and nothing more. This can be particularly tricky to implement with respect to network administrators who may typically have access to everything within a network.

3.4) Enforce Data Retention

Description: Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.

Notes: The security function associated with this safeguard is Protect. The specific data retention policy to enforce should be informed by both regulatory compliance and common sense. The need to retain data for insight may need to be counter-balanced by the desire to avoid a headline-grabbing data breach.
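To make the "both minimum and maximum timelines" requirement concrete, here is an added example (not from the article or from CIS) that applies a hypothetical retention policy, keyed by the classification labels the article mentions, to a constructed inventory; the policy values, the `Record` fields and the legal-hold rule are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical policy keyed by the classification labels the article names.
# Values are (minimum_days, maximum_days); None means no mandated deletion.
RETENTION_POLICY: Dict[str, Tuple[int, Optional[int]]] = {
    "Sensitive":    (90, 365),
    "Confidential": (30, 730),
    "Public":       (0, None),
}

@dataclass
class Record:
    record_id: str
    classification: str
    created: date
    legal_hold: bool = False   # assumed rule: a hold overrides the maximum

def retention_action(rec: Record, today: date) -> str:
    """Classify one record as 'retain', 'review' or 'dispose'.
    retain  - on legal hold, inside the minimum window, or no maximum set
    dispose - older than the maximum window and not on hold
    review  - between minimum and maximum; the data owner decides
    """
    if rec.classification not in RETENTION_POLICY:
        raise ValueError(f"unclassified record {rec.record_id}")
    min_days, max_days = RETENTION_POLICY[rec.classification]
    age_days = (today - rec.created).days
    if rec.legal_hold or age_days < min_days or max_days is None:
        return "retain"
    if age_days > max_days:
        return "dispose"
    return "review"

def retention_report(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by action so secure disposal (3.5) can act on the result."""
    report: Dict[str, List[str]] = {"retain": [], "review": [], "dispose": []}
    for rec in records:
        report[retention_action(rec, today)].append(rec.record_id)
    return report

# Constructed sample inventory, not real data.
SAMPLE_RECORDS = [
    Record("r1", "Sensitive", date(2024, 1, 1)),
    Record("r2", "Sensitive", date(2024, 1, 1), legal_hold=True),
    Record("r3", "Confidential", date(2024, 12, 1)),
    Record("r4", "Public", date(2020, 1, 1)),
]
```

An unclassified record raises rather than being silently retained, which is why the inventory (3.2) and classification scheme (3.7) have to exist before retention can be enforced.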

3.5) Securely Dispose of Data

Description: Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.

Notes: The security function associated with this safeguard is Protect. This safeguard applies to all forms of data in both digital and hard copy. Commercial services are readily available to assist with the secure disposal of data.

3.6) Encrypt Data on End-User Devices

Description: Encrypt data on end-user devices containing sensitive data. Example implementations include Windows BitLocker®, Apple FileVault®, and Linux® dm-crypt.

Notes: The security function associated with this safeguard is Protect. Encrypting data on devices mitigates risk associated with stolen or otherwise physically compromised devices. Encrypting data on these devices impedes an adversary’s ability to collect useful information from a compromised system. Using disk encryption does not generally protect data against malware infections, but it is possible to apply additional encryption to further safeguard sensitive data when not being accessed.

3.7) Establish and Maintain a Data Classification Scheme

Description: Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels such as “Sensitive,” “Confidential,” and “Public” and then classify their data according to those labels. Review and update the classification scheme annually or when significant enterprise changes occur that could impact this safeguard.

Notes: The security function associated with this safeguard is Identify. This safeguard represents a very fundamental step toward data protection. Having strict criteria for classifying data can inform other safeguards related to restricting data access. Classification labels may also feed into other policies such as data retention and incident response.

3.8) Document Data Flows

Description: Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually or when significant enterprise changes occur that could impact this safeguard.

Notes: The security function associated with this safeguard is Identify. Mapping out how data flows through an organization is instrumental in safeguarding that data. When combined with data classifications, this mapping can be used to vastly harden organizational data protection.

3.9) Encrypt Data on Removable Media

Description: Encrypt data on removable media.

Notes: The security function associated with this safeguard is Protect. Removable media can be more easily misplaced or stolen. Encrypting data on removable media can protect against inadvertent data loss in such an event.

3.10) Encrypt Sensitive Data in Transit

Description: Encrypt sensitive data in transit. Example implementations include Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).

Notes: The security function associated with this safeguard is Protect. Beyond simply encrypting data in transit, it is critical to make sure the encryption is properly authenticated. For TLS, this typically means that remote systems should have valid DNS identifiers with certificates signed by a trusted certification authority (CA). If the CA is local, additional protections must be put in place to ensure the integrity and confidentiality of the CA. For SSH, this means validating host keys and investigating any connection warnings. In both cases, it is also critical to configure services to use only current protocol versions and strong ciphers.
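The TLS points above (CA-signed certificate, matching DNS name, current protocol versions, strong ciphers) can be checked on the client side before any connection is made. The following is an added example using Python's standard `ssl` module, not code from the article; the baseline it enforces (TLS 1.2 or newer, the weak-cipher markers, and the `legacy_client_context` counter-example) is this example's own assumption.

```python
import ssl
from typing import List, Optional

# Assumed baseline: TLS 1.2 or newer, server certificate chained to a
# trusted CA, and the DNS identifier matching that certificate.
def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that authenticates the peer rather than just encrypting."""
    # Loads the system trust store when cafile is None; pass the local CA's
    # file so that only certificates issued by that CA are accepted.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # DNS identifier must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain must reach a trusted CA
    return ctx

def legacy_client_context() -> ssl.SSLContext:
    """Constructed counter-example: encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

# Cipher name fragments this example treats as unacceptable (assumption).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT")

def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings against the baseline; an empty list means it passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (verify_mode)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol allowed: {ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if cipher.get("strength_bits", 0) < 128 or any(m in name for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_client_context(ctx) or ["OK"])
```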

3.11) Encrypt Sensitive Data at Rest

Description: Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as “server-side encryption,” meets the minimum requirement of this safeguard. Additional encryption methods may include application-layer encryption, also known as “client-side encryption,” where access to the data storage device(s) does not permit access to the plain-text data.

Notes: The security function associated with this safeguard is Protect. As noted, storage-layer (disk) encryption is only a minimum requirement. While disk encryption can protect against some threats, many common threats facing enterprise networks are unimpeded by disk encryption. Additional application-layer encryption can limit what data may be accessible even when a system has become fully compromised.

3.12) Segment Data Processing and Storage Based on Sensitivity

Description: Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.

Notes: The security function associated with this safeguard is Protect. At the extreme, an organization could implement this safeguard by having multiple networks, each assigned a sensitivity level. The goal here is to prevent an attacker who has gained access to some data from having access to all the data.

3.13) Deploy a Data Loss Prevention Solution

Description: Implement an automated tool such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets including those located onsite or at a remote service provider as well as to update the enterprise’s sensitive data inventory.

Notes: The security function associated with this safeguard is Protect. DLP tools are a powerful tool against accidental data loss, but they may offer little protection against a determined attacker intentionally exfiltrating data.

3.14) Log Sensitive Data Access

Description: Log sensitive data access including modification and disposal.

Notes: The security function for this safeguard is Detect. Maintaining an audit trail of how sensitive data was accessed can subsequently provide evidence of how a data incident occurred.
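An audit trail is only evidence if it cannot be quietly edited after the fact. Here is an added example (not from the article) of a minimal access log for classified data that records read, modify and dispose events and chains each entry to the previous one with an HMAC; the class name, the event names and the sample entries in `demo_log` are constructed for this illustration.

```python
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional
class SensitiveDataAuditLog:
    """Append-only trail of read/modify/dispose events on classified data.
    Each entry is HMAC-tagged over its fields plus the previous tag, so editing,
    reordering or removing an entry breaks the chain. Truncating the tail is
    not caught here; anchor the latest tag off-host to cover that case."""
    EVENTS = ("read", "modify", "dispose")
    def __init__(self, key: bytes):
        self._key = key                  # assumed to live off the audited host
        self.entries: List[Dict] = []

    def _tag(self, body: Dict, prev_tag: str) -> str:
        msg = json.dumps(body, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()

    def record(self, user: str, resource: str, classification: str,
               event: str, when: Optional[datetime] = None) -> Dict:
        if event not in self.EVENTS:
            raise ValueError(f"unknown event {event!r}")
        body = {"seq": len(self.entries),
                "time": (when or datetime.now(timezone.utc)).isoformat(),
                "user": user, "resource": resource,
                "classification": classification, "event": event}
        prev = self.entries[-1]["tag"] if self.entries else ""
        entry = dict(body, tag=self._tag(body, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Index of the first entry that fails the chain, or -1 if intact."""
        prev = ""
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body.get("seq") != i or not hmac.compare_digest(
                    self._tag(body, prev), entry["tag"]):
                return i
            prev = entry["tag"]
        return -1
def demo_log() -> SensitiveDataAuditLog:
    """Constructed sample trail; the key exists only for this example."""
    log = SensitiveDataAuditLog(b"example-key-not-for-production")
    t = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    log.record("alice", "hr/payroll.csv", "Sensitive", "read", t)
    log.record("alice", "hr/payroll.csv", "Sensitive", "modify", t)
    log.record("bob", "hr/payroll.csv", "Sensitive", "dispose", t)
    return log
```

`verify()` reports the first entry whose tag or sequence number no longer fits, which is what an investigator needs when reconstructing how a data incident unfolded.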

The post "CIS Control 3: Data Protection" appeared first on TripWire.

Source: TripWire – Craig Young
